A new variant of the Snake Keylogger malware is actively targeting Windows users across multiple countries, including China, Turkey, Indonesia, Taiwan, and Spain. According to Fortinet’s FortiGuard Labs, the malware has been responsible for over 280 million blocked infection attempts globally since the beginning of the year. The Snake Keylogger is typically delivered through phishing emails containing malicious attachments or links, which users unknowingly click, triggering the malware’s payload. Designed to steal sensitive information, the keylogger captures keystrokes, logs credentials from popular browsers like Chrome, Edge, and Firefox, and monitors the clipboard for valuable data.
What sets this variant apart is its use of the AutoIt scripting language to deliver and execute the malware’s main payload, a technique that allows the malware to bypass traditional detection mechanisms. The malware ships as an AutoIt-compiled binary with the payload embedded in the script itself, which makes static analysis difficult. This method also produces dynamic behavior that mimics benign automation tools, complicating detection even further. The result is a stealthier and more persistent form of malware that traditional security systems find harder to identify.
Once the Snake Keylogger is executed on a compromised system, it drops copies of itself in various locations, including a file named “ageless.exe” in the “%Local_AppData%\supergroup” folder.
Additionally, it places a Visual Basic Script (VBS) file called “ageless.vbs” in the Windows Startup folder, ensuring that the malware is launched every time the system reboots. This persistence mechanism lets Snake Keylogger keep its foothold on the compromised system even if the initial process is terminated, so it can resume its malicious activity without being easily eradicated.
The keylogger also uses advanced techniques to avoid detection, injecting its payload into legitimate .NET processes such as “regsvcs.exe” through a method known as process hollowing. This technique lets the malware conceal itself within a trusted system process, making it harder for security tools to identify its presence. Additionally, Snake Keylogger uses external services like checkip.dyndns[.]org to retrieve the victim’s IP address and geolocation. Its main goal is to capture sensitive input, such as banking credentials, by logging keystrokes, making it a serious threat to users in the affected countries.
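As an added illustration (not from Fortinet’s write-up), the following Python triage helper turns the three host artifacts described above into simple detection rules and runs them over constructed Sysmon-style events. Sysmon event IDs 11 (FileCreate) and 1 (ProcessCreate) are real; the sample events, the `supergroup` drop path matching and the assumption that `regsvcs.exe` launched from a user-profile directory is suspicious are the editor’s own.

```python
"""Triage helper for the Snake Keylogger artifacts described above.

Runs over constructed Sysmon-style event dicts (not real telemetry) and
flags the three host indicators the write-up names. Sysmon event IDs 11
(FileCreate) and 1 (ProcessCreate) are real; the sample events are made up.
"""
import ntpath
import re

# Paths from the write-up; %Local_AppData% expands to \AppData\Local.
DROP_RE = re.compile(r"\\appdata\\local\\supergroup\\ageless\.exe$", re.I)
STARTUP_RE = re.compile(
    r"\\start menu\\programs\\startup\\ageless\.vbs$", re.I)
# Assumption: regsvcs.exe is normally launched by installer or developer
# tooling, so a parent living under a user profile is worth a look.
USER_WRITABLE_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)


def triage(events):
    """Return a list of (rule, detail) hits for the given events."""
    hits = []
    for ev in events:
        if ev["id"] == 11:  # FileCreate
            target = ev["target"]
            if DROP_RE.search(target):
                hits.append(("dropped_copy", target))
            elif STARTUP_RE.search(target):
                hits.append(("startup_persistence", target))
        elif ev["id"] == 1:  # ProcessCreate
            image = ntpath.basename(ev["image"]).lower()
            if image == "regsvcs.exe" and USER_WRITABLE_RE.search(ev["parent"]):
                hits.append(("hollowing_candidate", ev["parent"]))
    return hits


# Constructed sample events modelled on the behaviour described above.
SAMPLE_EVENTS = [
    {"id": 11, "target": r"C:\Users\alice\AppData\Local\supergroup\ageless.exe"},
    {"id": 11, "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                         r"\Start Menu\Programs\Startup\ageless.vbs"},
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe",
     "parent": r"C:\Users\alice\AppData\Local\supergroup\ageless.exe"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},  # benign control event
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The benign notepad event is included to show the rules do not fire on ordinary process creation; in practice the paths would come from an EDR or Sysmon export rather than a literal list.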